Difference between Security Group and Network ACL in AWS
1. Security Group :
A security group acts as a virtual firewall for an EC2 instance. It has separate inbound and outbound rules, and by default all inbound traffic is blocked: if no rule allows a particular protocol or port, no one can reach the instance over it. Security groups contain only allow rules, so anything not explicitly allowed is denied. An EC2 instance can have multiple security groups attached. We cannot block a specific IP address with a security group; that requires a network access control list. Any edit to a security group rule takes effect immediately.
2. Network Access Control List (Network ACL) :
A VPC comes with a modifiable default network ACL, which allows all inbound and outbound IPv4 traffic. A custom network ACL that we create denies all inbound and outbound traffic until rules are added. A network ACL is stateless and has separate inbound and outbound rule lists, with a default limit of 20 rules in each; rules are evaluated starting with the lowest numbered rule. Every subnet in the VPC must be associated with a network ACL, one network ACL per subnet at a time. It supports both allow rules and deny rules and operates at the subnet level.
Difference between Security Group and Network ACL :
| Security Group | Network Access Control List |
| --- | --- |
| Operates at the instance level. | Operates at the subnet level. |
| Supports only allow rules. | Supports allow rules and deny rules. |
| Stateful: when we create an inbound or an outbound rule, the return traffic is allowed automatically. | Stateless: return traffic must be allowed explicitly. |
| We cannot block a specific IP address using a security group. | We can block a specific IP address using a NACL. |
| All rules are evaluated before deciding whether to permit traffic. | Rules are processed in number order when deciding whether to allow traffic. |
| Starts with the instance launch configuration. | Assigned to a subnet, and applies to all instances in it. |
| Applies only when someone specifies the security group when launching the instance, or associates the instance with it later. | Does not depend on the user; it automatically applies to all instances in the subnet. |
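The following Python model, added here as an illustration and not taken from the article or from AWS, shows what the descriptions and table above mean in practice: a security group permits a packet if any allow rule matches and is stateful, while a network ACL walks its rules in ascending number order, stops at the first match, falls through to an implicit deny, and, being stateless, also needs an outbound rule for the reply on the client's ephemeral port. All rule sets, IP ranges (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) and ports are constructed for the example; the function names are hypothetical.

```python
"""Toy model of security group vs network ACL evaluation (added example).

The logic mirrors the behaviour described in the article: a security group is
stateful and allow-only, so a packet is permitted if *any* rule matches; a
network ACL is stateless, supports allow and deny, and is evaluated in rule
number order with the first match winning and an implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class SGRule:
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str


@dataclass
class NaclRule:
    number: int       # evaluated in ascending order
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    action: str       # "allow" or "deny"


def _matches(rule, protocol, port, address):
    """True if the rule covers this protocol, port and remote address."""
    proto_ok = rule.protocol in ("-1", protocol)
    port_ok = rule.protocol == "-1" or rule.from_port <= port <= rule.to_port
    net_ok = ipaddress.ip_address(address) in ipaddress.ip_network(rule.cidr)
    return proto_ok and port_ok and net_ok


def sg_allows(rules, protocol, port, address):
    """Security group: any matching rule allows; otherwise implicit deny."""
    return any(_matches(r, protocol, port, address) for r in rules)


def nacl_allows(rules, protocol, port, address):
    """NACL: lowest number first, first match decides, no match means deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, protocol, port, address):
            return r.action == "allow"
    return False


def connection_permitted(sg_inbound, nacl_inbound, nacl_outbound,
                         client_ip, client_port, protocol, server_port):
    """Checks the three gates a client request and its reply must pass.

    The subnet NACL is checked before the instance security group. Because the
    security group is stateful, the reply needs no extra SG rule, but the
    stateless NACL must allow the reply to the client's ephemeral port.
    """
    if not nacl_allows(nacl_inbound, protocol, server_port, client_ip):
        return "blocked by NACL inbound"
    if not sg_allows(sg_inbound, protocol, server_port, client_ip):
        return "blocked by security group"
    if not nacl_allows(nacl_outbound, protocol, client_port, client_ip):
        return "blocked by NACL outbound (reply)"
    return "allowed"


def demo():
    """Constructed rule sets; returns a dict of outcomes per scenario."""
    sg = [SGRule("tcp", 443, 443, "0.0.0.0/0")]          # HTTPS only
    nacl_in = [
        NaclRule(90, "tcp", 443, 443, "203.0.113.0/24", "deny"),   # block one range
        NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
        NaclRule(110, "tcp", 22, 22, "0.0.0.0/0", "allow"),        # SSH open at subnet
    ]
    nacl_out = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

    # Same deny rule, but numbered after the allow: it is never reached.
    late_deny = [
        NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
        NaclRule(110, "tcp", 443, 443, "203.0.113.0/24", "deny"),
    ]

    return {
        "normal_client": connection_permitted(
            sg, nacl_in, nacl_out, "198.51.100.7", 50000, "tcp", 443),
        "blocked_range": connection_permitted(
            sg, nacl_in, nacl_out, "203.0.113.5", 50000, "tcp", 443),
        "deny_after_allow": connection_permitted(
            sg, late_deny, nacl_out, "203.0.113.5", 50000, "tcp", 443),
        # NACL lets SSH in, but the security group has no allow rule for 22.
        "ssh_not_in_sg": connection_permitted(
            sg, nacl_in, nacl_out, "198.51.100.7", 50000, "tcp", 22),
        # No outbound ephemeral-port rule: the reply is dropped by the NACL.
        "no_ephemeral_rule": connection_permitted(
            sg, nacl_in, [], "198.51.100.7", 50000, "tcp", 443),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>18}: {outcome}")
```

The `deny_after_allow` case is the one to remember when writing NACLs: a deny rule only works if its number is lower than any allow rule that would otherwise match the same traffic. The `no_ephemeral_rule` case is the usual cause of "security group looks right but nothing connects" once a custom NACL is attached to the subnet.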